来自 KMS 操作的文档GenerateDataKey https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html

We recommend that you use the following pattern to encrypt data locally in your application:

Use the GenerateDataKey operation to get a data encryption key.

Use the plaintext data key (returned in the Plaintext field of the response) to encrypt data locally, then erase the plaintext data key from memory.

这段代码是否足以确保明文密钥在使用完毕后已从内存中删除。

const aws = require("aws-sdk");

const kms = new aws.KMS({...config});

(async () => {

    /** {Plaintext: Buffer, CiphertextBlob: Buffer} **/

    let dataKey = await kms.generateDataKey({...options}).promise();

    let encryptedString = MyEncryptionFunction(dataKey.Plaintext, "Hello World");

    dataKey.Plaintext.fill(0); //overwrite the buffer with zeroes to erase from memory;

})();

function MyEncryptionFunction(key, dataString) {

    let iv = crypto.randomBytes(16);

    let cipher = crypto.createCipheriv("aes256", key, iv);

    return cipher.update(dataString, "utf8", "hex") + cipher.final("hex");

}

假设 aws sdk 不会将密钥泄漏/复制到内存的其他部分是否安全，并且与createCipheriv内置加密库的功能相同，因此只需Plaintext用零覆盖缓冲区就足以从内存中擦除密钥？